orcs-code/scripts/provider-bootstrap.ts
Juan Camilo fd5e954990 fix: restrict .openclaude-profile.json permissions to owner-only (0600)
The profile file may contain API keys (OPENAI_API_KEY, CODEX_API_KEY,
GEMINI_API_KEY) in plain text. Without explicit permissions, writeFileSync
uses the process umask — on systems with permissive umask (0022), the file
is world-readable (644), exposing credentials to other users.

Relates to #24

Co-Authored-By: Juan Camilo <juancamilo.auriti@gmail.com>
2026-04-01 15:34:37 +02:00

4.2 KiB
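The umask behaviour described in the commit message, as an added example (not the project's code from `provider-bootstrap.ts`). It also covers one case beyond the message: the `mode` option only applies when the call creates the file, so a profile already on disk at 0644 stays world-readable unless its mode is changed explicitly. `writeOwnerOnly`, `permBits` and `demo` are hypothetical names, the key is a constructed placeholder, and a POSIX filesystem is assumed.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hypothetical helper: write a secrets file readable by its owner only.
function writeOwnerOnly(file: string, data: string): void {
  // 0o600 takes effect here only if this call creates the file.
  const fd = fs.openSync(file, "w", 0o600);
  try {
    // A file left at 0644 by an earlier write keeps that mode, so tighten
    // it on the open descriptor before any secret is written.
    fs.fchmodSync(fd, 0o600);
    fs.writeFileSync(fd, data, "utf8");
  } finally {
    fs.closeSync(fd);
  }
}

// Permission bits only (file-type bits masked off).
function permBits(file: string): number {
  return fs.statSync(file).mode & 0o777;
}

// Runs three writes in a scratch directory and reports the resulting modes.
function demo(): { defaultMode: number; modeOnExisting: number; hardened: number } {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "profile-perm-"));
  const file = path.join(dir, ".openclaude-profile.json");
  // Constructed sample content, not a real credential.
  const body = JSON.stringify({ OPENAI_API_KEY: "sk-constructed-placeholder" });
  const previousUmask = process.umask(0o022); // the permissive umask from the message
  try {
    fs.writeFileSync(file, body); // no mode given: 0o666 & ~0o022 = 0o644
    const defaultMode = permBits(file);
    fs.writeFileSync(file, body, { mode: 0o600 }); // file exists: mode is ignored
    const modeOnExisting = permBits(file);
    writeOwnerOnly(file, body); // explicit fchmod: 0o600
    const hardened = permBits(file);
    return { defaultMode, modeOnExisting, hardened };
  } finally {
    process.umask(previousUmask);
    fs.rmSync(dir, { recursive: true, force: true });
  }
}
```

Checking `permBits` on profile files written before the fix shows whether they still need a one-time `chmod 600`.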